Should network printers be patched?

by Editorial staff

Security personnel often don't give network printers much attention; after all, they are "only printers." In this SearchSecurity.com Q&A, Ed Skoudis explains why such devices are, in fact, a juicy target and need to be properly patched and hardened.


or actions needed to ensure printers aren't a weak point on my network?

You are correct: printers are a juicy target for several reasons. First off, they often store sensitive documents in their print spool. Printers are often combined with a document scanner, too, and docs are often stored in the scanning archive for far longer than most people expect.

Second, combination printer/scanner/fax machines are increasingly sophisticated, and they have general-purpose computers installed inside to control all of the action. Attackers can access printers in several ways, such as through a modem, a wireless access point, or a jump-off from spyware-infected desktops. After gaining access, they can use this power to hit other machines on your internal network.

Thirdly, Windows and Linux systems are often built into many modern printers. Because these computer controllers get little hardening and patching attention, they are often vulnerable.

Fourthly, most printers have unfettered access to an internal network. Thus, an attacker who compromises a printer can scan all over for exploitable systems.

Finally, security personnel often don't monitor or give such devices much attention because, after all, they are "only printers." This last perspective is quite unfortunate.

So, what can you do? First, harden your printers. Shut off any unneeded services that the printer offers, such as File Transfer Protocol (FTP). Most organizations do not need FTP access to their printers, and it can often cause more harm than good. For instance, some printers allow an attacker to make FTP requests and take jobs off of a print spool anonymously. Also, many FTP services on modern printers are subject to FTP bounce attacks. With a tool like Nmap, an attacker can obscure the source of a port scan, convincing a compliant FTP server to allow proxy FTP connections. For more details on these types of bounce attacks, check out the great write-up by Fyodor, the author of Nmap. While such FTP bounce scans are old techniques, I have found that a remarkable number of brand-new print servers are susceptible to such attacks.

Next, shore up the management protocol used for the printer. Most modern printers support some sort of management via HTTP and/or HTTPS, and a few even support Telnet or Secure Shell (SSH). Carefully choose a management protocol that provides encryption, like HTTPS or SSH.

By default, most printers allow admin access with either no password or a widely known default one. Change the password to a value that is more difficult to guess.

Lastly, make sure that your printer doesn't have wide-open access to the rest of your internal network. Consider putting your printers on their own private VLAN. Filter access to that LAN so that the printer can receive print jobs, but not initiate connections to any other systems. Going further, if you have the budget and the time, you can even put a firewall in front of your printers to really limit access to and from them.
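The hardening steps and the VLAN filtering rule above (printers receive print jobs but never initiate connections) can be verified against connection logs. The following is an added example, not part of the original Q&A: the printer VLAN subnet, the port numbers (515, 631 and 9100 for printing; 21, 23 and 80 for FTP, Telnet and HTTP; 22 and 443 for SSH and HTTPS) and the one-record-per-new-connection log layout are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumptions (not from the article): the printer VLAN subnet, the port
# numbers, and the "src dst proto dport" layout, where each record is the
# start of a new connection. All addresses below are constructed samples.
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")
PRINT_PORTS = {515, 631, 9100}        # LPD, IPP, raw port-9100 printing
ENCRYPTED_MGMT = {22, 443}            # SSH, HTTPS
CLEARTEXT_OR_UNNEEDED = {21: "FTP", 23: "Telnet", 80: "HTTP"}

SAMPLE_FLOWS = """\
10.1.5.17 10.20.30.11 tcp 9100
10.1.5.17 10.20.30.11 tcp 21
10.1.9.4 10.20.30.12 tcp 443
10.1.9.4 10.20.30.12 tcp 23
10.20.30.11 10.1.7.80 tcp 445
10.20.30.12 10.20.30.11 tcp 80
10.1.5.22 10.1.7.80 tcp 445
"""

def classify(line):
    """Return (verdict, reason) for one 'src dst proto dport' record."""
    src, dst, _proto, dport = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    port = int(dport)
    if src_ip in PRINTER_VLAN:
        # Printers should only answer; any connection they open is suspect.
        return "ALERT", f"printer {src} initiated connection to {dst}:{port}"
    if dst_ip not in PRINTER_VLAN:
        return "IGNORE", "no printer involved"
    if port in PRINT_PORTS:
        return "OK", f"print job to {dst}:{port}"
    if port in ENCRYPTED_MGMT:
        return "OK", f"encrypted management to {dst}:{port}"
    if port in CLEARTEXT_OR_UNNEEDED:
        return "ALERT", f"{CLEARTEXT_OR_UNNEEDED[port]} reachable on {dst}"
    return "ALERT", f"unexpected service {dst}:{port}"

def audit(flows):
    """Return only the records that violate the printer policy."""
    results = [classify(l) for l in flows.splitlines() if l.strip()]
    return [r for r in results if r[0] == "ALERT"]

if __name__ == "__main__":
    for verdict, reason in audit(SAMPLE_FLOWS):
        print(verdict, reason)
```

An alert for a printer-initiated connection means the VLAN filter is missing or misconfigured; an alert for FTP, Telnet or HTTP means that service is still enabled and reachable on the printer.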
